A. Determines the optimal number of IPS engines required based on system load.
B. Downloads signatures on demand from FDS based on scanning requirements.
C. Determines when it is secure enough to stop scanning session traffic.
D. Chooses a matching algorithm based on available memory and the type of inspection being performed.

Answer: D

QUESTION 86

An administrator has configured the following CLI script on FortiManager, which failed to apply any changes to the managed device after being executed.

Why didn’t the script make any changes to the managed device?

A. Commands that start with the # sign are not executed.
B. CLI scripts will add objects only if they are referenced by policies.
C. Incomplete commands are ignored in CLI scripts.
D. Static routes can only be added using TCL scripts.

Answer: B

QUESTION 87

View the exhibit, which contains a partial web filter profile configuration, and then answer the question below.

Which action will FortiGate take if a user attempts to access www.dropbox.com, which is categorized as File Sharing and Storage?

A. FortiGate will exempt the connection based on the Web Content Filter configuration.
B. FortiGate will block the connection based on the URL Filter configuration.
C. FortiGate will allow the connection based on the FortiGuard category-based filter configuration.
D. FortiGate will block the connection as an invalid URL.

Answer: B

QUESTION 88

Which configuration can be used to reduce the number of BGP sessions in an IBGP network?

A. Neighbor range
B. Route reflector
C. Next-hop-self
D. Neighbor group

Answer: B

QUESTION 89

View the exhibit, which contains the output of get sys ha status, and then answer the question below.

Which statements are correct regarding the output? (Choose two.)

A. The slave configuration is not synchronized with the master.
B. The HA management IP is 169.254.0.2.
C. Master is selected because it is the only device in the cluster.
D. port 7 is used for the HA heartbeat on all devices in the cluster.

Answer: AC

QUESTION 90

View the exhibit, which contains the partial output of an IKE real time debug, and then answer the question below.

The administrator does not have access to the remote gateway. Based on the debug output, what configuration changes can the administrator make to the local gateway to resolve the phase 1 negotiation error?

QUESTION 91

View the exhibit, which contains the output of a diagnose command, and then answer the question below.

Which statements are true regarding the Weight value?

A. Its initial value is calculated based on the round trip delay (RTT).
B. Its initial value is statically set to 10.
C. Its value is incremented with each packet lost.
D. It determines which FortiGuard server is used for license validation.

Answer: C

QUESTION 92

In which of the following states is a given session categorized as ephemeral? (Choose two.)

A. A TCP session waiting to complete the three-way handshake.
B. A TCP session waiting for FIN ACK.
C. A UDP session with packets sent and received.
D. A UDP session with only one packet received.

Answer: BC

QUESTION 93

View the exhibit, which contains a session entry, and then answer the question below.

Which statement is correct regarding this session?

A. It is an ICMP session from 10.1.10.10 to 10.200.1.1.
B. It is an ICMP session from 10.1.10.10 to 10.200.5.1.
C. It is a TCP session in ESTABLISHED state from 10.1.10.10 to 10.200.5.1.
D. It is a TCP session in CLOSE_WAIT state from 10.1.10.10 to 10.200.1.1.

Answer: A

QUESTION 94

View the exhibit, which contains a screenshot of some phase-1 settings, and then answer the question below.

The VPN is up, and DPD packets are being exchanged between both IPsec gateways; however, traffic cannot pass through the tunnel. To diagnose, the administrator enters these CLI commands:

However, the IKE real time debug does not show any output. Why?

A. The debug output shows phases 1 and 2 negotiations only. Once the tunnel is up, it does not show any more output.
B. The log-filter setting was set incorrectly. The VPN’s traffic does not match this filter.
C. The debug shows only error messages. If there is no output, then the tunnel is operating normally.
D. The debug output shows phase 1 negotiation only. After that, the administrator must enable the following real time debug: diagnose debug application ipsec -1.

Answer: D

QUESTION 95

View the exhibit, which contains the output of a diagnose command, and then answer the question below.

What statements are correct regarding the output? (Choose two.)

A. This is an expected session created by a session helper.
B. Traffic in the original direction (coming from the IP address 10.171.122.38) will be routed to the next-hop IP address 10.0.1.10.
C. Traffic in the original direction (coming from the IP address 10.171.122.38) will be routed to the next-hop IP address 10.200.1.1.
D. This is an expected session created by an application control profile.